CHI 2020 Paper. CHI 2020, April 25–30, 2020, Honolulu, HI, USA

Addressing Anonymous Abuses: Measuring the Effects of Technical Mechanisms on Reported User Behaviors

Wajeeha Ahmad, MIT CSAIL, Cambridge, MA, USA, wajeeha@csail.mit.edu
Ilaria Liccardi, MIT CSAIL, Cambridge, MA, USA, ilaria@csail.mit.edu

ABSTRACT
Anonymous networks intended to enhance privacy and evade censorship are also being exploited for abusive activities. Technical schemes have been proposed to selectively revoke the anonymity of abusive users, or simply limit them from anonymously accessing online service providers. We designed an empirical survey study to assess the effects of deploying these schemes on 75 users of the Tor anonymous network. We evaluated proposed schemes based on examples of the intended or abusive use cases they may address, their technical implementation and the types of entities responsible for enforcing them. Our results show that revocable anonymity schemes would particularly deter the intended uses of anonymous networks. We found a lower reported decrease in usage for schemes addressing spam than those directly compromising free expression. However, participants were concerned that all technical mechanisms for addressing anonymous abuses could be exploited beyond their intended goals (51.7%) to harm users (43.8%). Participants were distrustful of the enforcing entities involved (43.8%) and concerned about being unable to verify (49.3%) how particular mechanisms were applied.

Author Keywords
Anonymous networks; Trust; Abuse; Empirical study; Tor.

CCS Concepts
• Security and privacy → Social aspects of security and privacy; • Human-centered computing → User studies; • Social and professional topics → Censorship; Surveillance;

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
CHI ’20, April 25–30, 2020, Honolulu, HI, USA. © 2020 Association for Computing Machinery. ACM ISBN 978-1-4503-6708-0/20/04 ...$15.00. http://dx.doi.org/10.1145/3313831.3376690 (Paper 561)

INTRODUCTION
In an era of mass surveillance by governments and corporations alike, online anonymity is often considered indispensable to free expression and individual privacy. People seek anonymity online for various important reasons such as to gain protection from governments and repressive regimes [67, 74], evade commercial surveillance, better manage boundaries in personal and professional relationships, and avoid harassment from online, offline and unspecified entities [38, 44]. Other uses include anonymously accessing information or censored materials [39, 76], gathering intelligence or tips [59], and discussing stigmatized topics [30]. Yet anonymity makes it difficult to trace or exclude abusive users. Some exploit the veil of anonymity to engage in illegal drug exchanges [9], harassment [46] and terrorist plots [13, 75]. Moreover, the Tor anonymous network suffers from botnet attacks [36, 53, 66] among other abuses. There also exist botnet constructions that researchers claim could be nearly impossible to subvert without blocking all access to anonymous networks [61]. Because some use Tor to attack services, spam forums and scan for vulnerabilities, many service providers and content delivery networks treat all users connecting from known anonymous networks as “second-class” web citizens [45], forcing them to solve multiple CAPTCHAs or blocking them.

Can we simultaneously promote the legitimate uses of anonymous networks while mitigating their abuses? In 2007, Tor’s original developers remarked: “Simple technical mechanisms can remove the ability to abuse anonymously without undermining the ability to communicate anonymously” [35]. But do users perceive technical mechanisms as effectively curtailing anonymous abuses without reducing their own legitimate uses? What additional factors need to be considered in making such decisions? Using both quantitative and qualitative approaches, we study the desirability of different mechanisms to deter abuse among users of anonymous networks. We show how and why three main factors associated with proposals for countering abuses affect the intended uses of anonymous networks. We illustrate how users’ awareness of different activities conducted via anonymous networks could reflect their responses to various technical mechanisms. Finally, we describe how users’ responses inform policies for the design and implementation of measures for addressing anonymous abuses.

RELATED RESEARCH
Anonymous networks were designed to prevent online tracking in order to protect free expression and enhance privacy [20, 34, 60] as well as resist censorship [33]. Many studies detail anonymity as allowing for more disclosure [64] across all intimacy levels [54], encouraging both beneficial and harmful behaviors in collaborative learning [23] and other social [25] settings. Several others explore peoples’ motivations for seeking anonymity ranging from gaining protection against various actors [38, 39, 44] to general usage and exploration [39, 76]. People attain online anonymity by using different tools [72], incorporating behavioral changes such as creating several accounts [21] or altering personal profiles [71]. Anonymous networks such as Tor, I2P and Freenet aim to hide users’ network identity (i.e. IP address) from
unwanted observations. Of these, Tor is considered the largest network with millions of daily users.¹ To prevent tracking of users’ communication, Tor reroutes traffic through three randomly chosen and globally distributed volunteer-run servers called “nodes” or “relays” [34]. Tor also offers onion services, which are websites that protect both their own and users’ anonymity.

Debate about advancing or banning online anonymity has been ongoing among security researchers [28], policy experts [2, 22, 43, 49], and community designers [48] among others. While users’ opinions range from viewing Tor as a force for freedom to a tool for cybercriminals and terrorists, many believe that the balance between individual privacy and national security should be closer to privacy [39]. Some users have also complained about insufficient protection specifically from authorities or big companies with a few raising concerns about the criminal content of onion services [76]. From the perspective of some open collaboration service providers, anonymous users make valuable contributions and do not violate community norms more frequently than other users [56]. According to one study, Tor users contribute similar proportions of damaging and good faith edits on Wikipedia as non-Tor users with no substantial differences in quality [68].

However, online anonymity is also associated with toxic behaviors that are hard to control [51]. Given threats from users of anonymous networks [24, 78], websites such as Wikipedia and Slash-dot have had to ban their contributions [41]. While onion services have been found to offer both illegal and other content (about human rights, free speech, security, etc.) [14], those serving criminal and unethical uses including botnets and adult content are among the most popular services [14, 40, 57, 79]. Some claim that the inability to deter the abuse of anonymous networks hinders their widespread adoption [31, 73] and leads to service providers blocking all anonymous users [32, 41, 52, 70]. To address these concerns, researchers have proposed several cryptographic schemes, which fall into two main groups based on their goals: revocable anonymity and access-limiting schemes.

Revocable anonymity schemes aim to provide anonymity for ordinary users, while simultaneously guaranteeing traceability of abusive users. Such schemes are meant to deter abuse by allowing potential investigators to find the identity of suspected users. Some of these schemes use trusted third parties (TTPs) to register all users and revoke the anonymity of certain users [26, 31, 32, 47, 73, 77]: registration entities aim to offer unique credentials such as new pseudonyms to enable users to access anonymous networks whereas revocation entities may cooperate with registration entities to revoke a user’s anonymity in case of a legal investigation. These TTPs may be centralized or implemented distributedly [19, 31, 73, 77] via secret sharing that allows a set of parties to reconstruct a secret key only when a sufficient number of them all consent and collaborate to do so [62]. Revocable anonymity schemes without TTPs [7, 17] allow investigators to trace back the source of an anonymous communication stream by requiring all nodes of the anonymous network to reveal their predecessors. Contrasting this approach, researchers have proposed using existing software vulnerabilities for lawful access to communications in case of legal investigations since there will always be urgent situations involving national security or major crimes, where built-in intercept mechanisms are not available [10, 11]. This approach has been used by law enforcement agencies and is expected to increase in utility as anonymous tools become more widespread [55].

Secondly, access-limiting schemes aim to enable service providers (e.g. websites) to selectively limit the access of certain users without revealing their identities. Some access-limiting schemes incorporate TTPs: in Nymble, service providers require a TTP (the “nymble manager”) to provide a token linking the user’s identity to their actions in order to temporarily block the user [70]. TorPolice aims to allow service providers to rate-limit only those anonymous users engaging in botnet-enabled abuses (e.g. spamming forums, scraping content, etc.) using CAPTCHAs or computational puzzles [52]. In access-limiting schemes without trusted third parties, users present zero-knowledge proofs to a service provider to demonstrate that they are not part of the service provider’s blacklist before accessing its services [4, 5, 6, 16, 69].

Our work extends prior research in three ways. First, we test the desirability and impact of proposed technical mechanisms on actual users of anonymous networks. Second, we investigate why users respond differently to various technical mechanisms depending on the case, scheme and decision-making entity involved in the mechanism. Finally, we gather data on users’ understanding of abuses of anonymous networks to glean insights on the debate of how such issues may be addressed without negatively impacting the intended uses of anonymous networks. This is the first study that explores the tensions between protecting anonymity and addressing its potential abuses from the perspective of anonymous network users.

USER STUDY
Our study was designed to test the effects of proposed anti-abuse technical mechanisms on current users of anonymous networks. Specifically, we sought to understand whether users would alter their usage of anonymous networks depending on the type of technical scheme (e.g. revocable anonymity or access limiting scheme) implemented. To capture the diverse social contexts in which these schemes may be deployed, we also tested the effects of five popular use cases of anonymous networks that may be addressed in different circumstances (spam, phishing, illegal drug exchange, communication and reporting²), and five types of decision-making entities responsible for addressing potential abuses (anonymous network administrators, non-government organizations, anonymous nodes, government agencies and commercial services). We also wished to understand whether users’ decisions might be influenced by their own prior knowledge of encountered or known abuses associated with anonymous networks. We aimed to identify the circumstances, if any, under which users may view technical schemes as useful and not impacting or deterring their own usage. In particular, we are interested in investigating:

• Which factors i.e. case, scheme and/or entity affect users’ self-reported usage of anonymous networks?
• Does knowledge of abuses or security vulnerabilities associated with anonymous networks affect users’ responses to technical mechanisms for addressing anonymous abuses?

¹ https://metrics.torproject.org/userstats-relay-country.html
² In scenarios presented to participants, communication and reporting were depicted as being illegal in places where they were undertaken.
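The distributed revocation described under Related Research rests on secret sharing, where a key can be rebuilt only when enough parties consent. The Python below is an added example, not code from the paper or from any of the cited schemes: it uses Shamir's polynomial scheme, chosen here as one standard construction because the paper does not name one, to contrast revocation by one entity with revocation by three entities in consensus. The function names, the field modulus and the key value are assumptions made for illustration.

```python
import secrets

# Field modulus (assumption for this example): the Mersenne prime 2**127 - 1.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(P), Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate_at(points, x0):
    """Value at x0 of the unique lowest-degree polynomial through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split(secret, n, k):
    """Deal n shares of `secret`; any k of them reconstruct it."""
    if not 0 <= secret < P:
        raise ValueError("secret must lie in [0, P)")
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    # Random polynomial of degree < k whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    # Entity i (1-based) receives the point (i, f(i)); x = 0 is never handed out.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine(shares, k):
    """Reconstruct the secret; refuses to run with fewer than k distinct shares."""
    by_x = dict(shares)  # drop duplicate submissions from the same entity
    if len(by_x) < k:
        raise ValueError(f"only {len(by_x)} of the {k} required entities consented")
    return _interpolate_at(list(by_x.items())[:k], 0)


def share_consistent_with(candidate, partial_shares, x):
    """Share at `x` that would make `candidate` the secret, given k-1 real shares.

    Such a share exists for every candidate, which is why k-1 colluding
    entities cannot even narrow down the real key.
    """
    return _interpolate_at([(0, candidate % P)] + list(partial_shares), x)


def demo():
    key = 20200425561  # constructed revocation key, not a real value
    # "Anonymity revocation by 1": the single entity holds the key outright.
    solo = split(key, n=1, k=1)
    # "Anonymity revocation by 3": all three entities must consent (3-of-3).
    trio = split(key, n=3, k=3)
    try:
        combine(trio[:2], k=3)
        two_suffice = True
    except ValueError:
        two_suffice = False
    # Two entities' shares fit any key once a made-up third share is added.
    guess = 42
    fake = (3, share_consistent_with(guess, trio[:2], 3))
    return {
        "solo_share_is_key": solo[0][1] == key,
        "three_recover_key": combine(trio, k=3) == key,
        "two_suffice": two_suffice,
        "two_shares_fit_any_guess": combine(trio[:2] + [fake], k=3) == guess,
    }


if __name__ == "__main__":
    print(demo())
```

Calling `split(key, n=3, k=2)` instead gives a scheme in which any two of the three entities can revoke, a weaker trust model than the consensus variant presented to participants.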
Study Design
We designed our study as an online survey consisting of six sections: 1) primary use of the anonymous network; 2) measuring the effects of specific cases, technical schemes and entities on users’ reported behaviors; 3) motivations for using anonymous networks; prior knowledge of 4) abusive activities and 5) investigators’ existing de-anonymization practices; and 6) demographics. Only the first two sections were compulsory. Section 2 was the only section designed as between-subjects. Section 2 was aimed at investigating the effects of three independent variables: cases (5), schemes (5) and entities (5). The combinations of these three variables yielded 125 scenarios, which we divided between 5 user groups. We ensured that each participant encountered one scenario only once in the study to minimize learning and confounding effects.

Procedure
Participants willing to take our study were directed to a Qualtrics link. They were first asked about the anonymous services they used, their “most important or needed” i.e. primary use and frequency of usage of anonymous services (Section 1). Participants were then randomly assigned to 1 of the 5 groups.³ Each group contained 25 unique scenarios (Section 2). The order of the scenarios presented in each group was randomized across participants. For each scenario, participants were asked to assume that the anonymous network they used had introduced the described functionality to address the type of case presented, and then asked two questions. First, how would their own anonymous network usage change for their primary activity? Participants could select from options presented on a Likert scale, ranging from decrease to no change in usage (Figure 1). Second, what reason(s) applied to their change in usage or lack thereof? Participants could select from a randomized list of options and write their own reasons.

We asked participants to select their motivations for using anonymous networks from 20 randomized options synthesized from prior work (Section 3).⁴ Participants were asked if they had prior knowledge about any “malicious, criminal or unethical” uses of anonymous networks (Section 4). Those aware were then asked to identify any relevant activities they knew about. We also asked if participants were aware of existing practices by investigators such as law enforcement to exploit software vulnerabilities for de-anonymizing certain anonymous users, and how knowledge of this practice affected their usage of anonymous networks (Section 5). Finally, we inquired about age, gender, education level, technical skills, employment status, residence and nationality (Section 6).

Translating Technical Schemes into Testable Scenarios
We analyzed proposed technical schemes (i.e. both revocable anonymity schemes that aim to selectively trace certain users, and access-limiting schemes that only seek to block or limit the rate of access of some users) for deterring anonymous abuses along three dimensions using a systematized framework [37]. First, we analyzed the goals of each scheme to examine how it addresses the prevention, detection, evidence, judgement and punishment aspects of countering abuse. Second, we examined how information about potential abuses was identified and disclosed in each scheme. Third, we analyzed how each scheme addressed potential abuses with automated or mediated actions implemented by centralized or decentralized entities. After this initial analysis, three researchers abstracted the technical details and implications of the proposed schemes to derive their similarities and differences over six sessions between February 1 and March 7, 2019. We then refined the abstract descriptions to be comprehensible to users of different technical backgrounds while still reflecting the overall functionalities and aims of the original proposals.

We derived five types of schemes. Two involved anonymity revocation by trusted third parties: "Anonymity revocation by 1" i.e. one entity can revoke a user’s anonymity [26, 32, 47], and "Anonymity revocation by 3" i.e. three entities can revoke anonymity only by consensus among themselves as done in distributed revocation schemes [19, 31, 73, 77]. One involved blocking with the consent of a trusted third party: "Blocking with TTP" [70]. Two involved access limitations by service providers: "Blocking" [4, 5, 6, 16, 69] and "Rate-limiting" [52].

We chose five commonly reported use cases of anonymous networks that various entities may deem worth addressing. Particularly, we were interested in finding out whether there is any distinction in the way users regard computer attacks ("spam" and "phishing"), which are regarded as illegitimate uses of anonymous networks as opposed to those concerning free expression ("illegal communication" and "illegal reporting" on censored topics), which are deemed legitimate in democratic societies, but criminalized by some authoritarian regimes. The remainder case involved the illegal exchange of drugs ("illegal drugs").

To allow for a diverse set of potential enforcing entities, we included government agencies in the user’s country of residence (e.g. appropriate judicial bodies), commercial services (among Google, Comcast or Cloudflare), international non-profit organizations or NGOs,⁵ anonymous nodes of the network (e.g. volunteer-run Tor relays), and organizations administrating the anonymous network (e.g. the Tor Project). For schemes involving decision-making by third parties, the third party was one of these five entities. In schemes involving decision-making by service providers alone (i.e. Blocking and Rate-limiting), the entity was in charge of deciding to limit a user’s access to the anonymous network altogether if sufficient service providers set access limitations for that user. For anonymity revocation by three entities via consensus, the entities involved were all of the same type, e.g. three anonymous nodes.

Finally, to understand why users might change their usage of anonymous services in response to various anti-abuse mechanisms, two researchers analyzed how each scheme could be exploited beyond its intended goals over 6 sessions. By evaluating how the different cases, schemes and entities involved may deter usage, we derived a list of 10 potential reasons to present to participants.

³ We used the Randomizer element in Qualtrics’ Survey Flow both to randomly and evenly assign participants within the 5 groups. We used Qualtrics’ Quotas to ensure equivalent participant numbers in all 5 groups.
⁴ We examined prior research on why people seek anonymity [38, 39, 44, 76] and extracted a list of reported motivations from each paper. We then compared and consolidated all reported motivations into 20 options.
⁵ We varied the NGOs presented for each case type, e.g. "The SpamHaus Project" (spam), "a member of the Anti-Phishing Working Group" (phishing), "Reporters without Borders" (reporting), "Access Now" (communication) and "The World Federation Against Drugs" (illegal drugs).

Participant Recruitment
We launched our survey after receiving ethical approval from the Institutional Review Board at MIT. We primarily targeted Tor
users via social media, online forums and a Tor-specific mailing list, including through help from the Tor Project. Participants who completed the survey were offered remuneration using a separate form to unlink their responses and respect their anonymity. Our survey ran from March 28 to May 7, 2019.

Figure 1. An example of a scenario involving spam (case), rate-limiting (scheme) and an anonymous node (enforcing entity) as shown to participants.

Study Validity
To ensure that participants understood our survey questions and scenarios consistently, we tested the entire study with ten people of varying ages, education levels, genders, employment statuses and technical backgrounds. After completing the survey, these participants were asked specific questions, e.g. “What do you understand by ’[survey question]’?” and “Could you walk me through how this scenario works?”. These systematic probes [27] were targeted at evaluating how their interpretations matched our intended meaning. This allowed us to both simplify wording for non-technical users and include specific implementation details to allow more technical users to understand the implications of the schemes.

Data Validity
To ensure that participants did not randomly respond to our scenarios, we incorporated attention checks [12] in the form of two repeated scenarios. These were used to validate users’ responses and remove participants with inconsistent answers. The attention check responses were removed from the data-set prior to analysis.

Data Analysis
Sections 1, 3, 4, 5 and 6 were analyzed by aggregating the number of responses for each answer choice. Participants’ reported usage changes in Section 2 were analyzed via one-way ANOVA. This method was used to test if there was a statistically significant difference in participants’ reported behaviors between scenario conditions. Participants’ reasons for their reported behaviors were aggregated for all answer choices. We coded participants’ open-ended reasons using an iterative process to identify recurring themes [15]. After two coders disjointly coded an agreed random sample of participants’ responses, they convened to consolidate an initial set of codes. Then the two coders re-coded all qualitative data on open-ended reasons and calculated the Cohen’s Kappa.

RESULTS
Participants
In total, 331 participants began the survey but only 100 completed all scenarios. Of these, 54 participants requested remuneration and all those who confirmed payment means received at least $10. Because being paid required disclosing PII such as email, some participants did not opt-in. As an added incentive, we randomly selected 7 participants for additional payments of $40 (5) and $90 (2). Among the 100 completed responses, 75 responded consistently to both attention checks (15 per group).⁶

Nine participants were female (avg. age 33.5), 48 were male (avg. age 32.6), and 7 chose “Other” (avg. age 36.6) while the remainder did not disclose their gender (11) and age (9). Education levels varied from having no diploma (4) to having completed high school (19), college or university (26), and post-graduate work (17) whereas 9 did not disclose their highest completed education level. Employment status varied from unemployed (10) to self-employed (13), part-time (9), full-time (25), other (7) and undisclosed (11). Participants described themselves as “very technical” (26), “fairly technical” (24), “somewhat technical” (19), “slightly technical” (1), “not at all technical” (1) or did not disclose their technical skills (4).

Among participants who answered, the largest number both lived (25) and were citizens (20) of the USA, followed by Germany (5) and Canada (4). Two reported multiple nationalities. Of those who disclosed both countries of residence (51) and nationality (46), all but four lived and were from the same country; four lived in the US but were from Tunisia (1), Italy (1) and India (2). Other countries represented included Bulgaria, Catalonia, China, Cyprus, France, Iran, Ireland, Mexico, Portugal, Russia, Singapore, Slovenia, Spain, Sweden, the UK and Ukraine.

Types of anonymous services used
All participants used the Tor network. Two (P24, P64) accessed Tor only via Orbot. While several participants used Tails (28) and Orbot (11),⁷ anonymous networks such as I2P (8) and Freenet (6) were used less frequently. Other anonymous services used included Briar, Ricochet, Torphone, Onion Share and Whonix.

⁶ Upon obtaining 15 participants who passed our attention checks in each of the five groups (which allowed us to obtain 375 responses to each type of case, scheme and entity), we terminated the study.
⁷ Tails is an operating system that forces all internet connections via the Tor network, whereas Orbot is an Android application for accessing Tor.

Frequency of use of anonymous networks
Twenty-seven participants used anonymous networks for ~25% of their online activities. Equivalent numbers relied on anonymous
networks for ~75% (13) and less than 5% (13) of their online activities. Twelve conducted all (i.e. 100%), and 10 performed half (i.e. ~50%) of their online activities via anonymous networks.

Table 1. Motivations selected (MS) for seeking anonymity and number of participants (N) who selected each. Participants could select multiple motivations.

MS | N | Description
M1 | 49 | To keep different aspects of my identity separate from one another
M2 | 24 | To prevent harassment
M3 | 47 | To contribute to the anonymous community for the benefit of other users
M4 | 63 | To avoid invasive use of my personal information
M5 | 51 | To avoid revealing my personal information for reasons I consider inappropriate
M6 | 15 | To avoid financial attacks
M7 | 57 | To prevent companies from making money from my personal information
M8 | 17 | For fear of my internet access being revoked
M9 | 40 | To avoid discrimination based on my identity or my online activities
M10 | 43 | To avoid unknown threats
M11 | 36 | For fear of exposure for political associations, opinions and/or related activities
M12 | 26 | For fear of legal sanctions, e.g. imprisonment.
M13 | 54 | To avoid commercial tracking of my participation to online communities or projects
M14 | 15 | To avoid accountability for my past actions or statements
M15 | 22 | To avoid potential retaliation from a business/service after I leave an online review
M16 | 55 | To avoid potential misuse of my personal information
M17 | 45 | To avoid losing control of my personal data and the ability to delete my information
M18 | 53 | For safety from unknown surveillance for unknown reasons
M19 | 32 | To avoid repercussions for my online activities that may be perceived as unlawful or unethical
M20 | 24 | For safety against physical harms against one-self and/or loved ones

Primary uses of anonymous networks

Effect of Scheme
We found a significant difference in the degree to which the type of scheme implemented affected participants’ change in anonymous network usage for their primary activity (Figure 2(b)), as determined by one-way ANOVA (F(4,1870)=8.36,p
significant differences among other types of schemes. This shows that schemes involving anonymity revocation and trusted third parties schemes would deter usage more so than access-limiting schemes, which are directly implemented by service providers.

[Figure 2: three bar-chart panels, y-axis "Reported Changes in Usage (μ)" from 1.0 to 5.0. Panel (a): illegal communication, illegal drugs, illegal reporting, phishing, spam. Panel (b): anonymity revocation (1 entity), anonymity revocation (3 entities), blocking, blocking with trusted third party (TTP), rate-limiting. Panel (c): anonymous network administrator, anonymous node, commercial service, government agency, NGO.]
Figure 2. Mean reported changes in usage of anonymous networks for each type of (a) case, (b) scheme and (c) entity (1: definitely decrease, 2: most likely decrease, 3: undecided, 4: most likely unchanged, 5: definitely unchanged).

Effect of Entity
A significant difference was found between participants’ self-reported changes in anonymous network usage based on the type of decision-making entity, as determined by one-way ANOVA (F(4,1870)=3.64, p=0.0058). A Tukey post-hoc test revealed a significantly larger decrease in usage when government agencies (µ = 2.13) are in charge relative to anonymous networks administrators (µ = 2.43, p = 0.025), and NGOs (µ = 2.42, p = 0.0317), as shown in Figure 2(c) and Table 2. A t-test also found a significantly larger decrease in usage when government agencies are in charge relative to anonymous network administrators (p=0.0030), NGOs (p=0.0039) and anonymous nodes (µ = 2.38, p=0.0127) in addition to a significantly larger decrease in usage when commercial services (µ = 2.21) are in charge relative to anonymous network administrators (p=0.0297) and NGOs (p=0.0362). No other pairwise significant differences were observed. This shows that participants distrusted government and commercial entities more than other enforcing entities.

Participant Profiles
What influenced participants’ reported changes in anonymous network usage? We examined whether participants always reported the same change in usage (i.e. decrease, undecided, or no change) or reported variable changes (e.g. ranging from decrease to no change, etc.) for each type of factor. Our analysis revealed five distinct user profiles:

• Anonymity-conscious users (27) reported a decrease in usage regardless of the types of entities, schemes or cases presented. While 18 participants reported a decrease for all scenarios, nine had one or two exceptions for which they reported no change or were undecided, which typically involved blocking or rate-limiting cases of spam or phishing as enforced by anonymous network administrators, NGOs or anonymous nodes.

• Anonymity-indifferent users (9): Six users reported that their usage will remain unchanged regardless of the entities, schemes or cases involved. Three others also reported no change with one exception for which they were undecided; these involved anonymity revocation or blocking with the consent of a third party enforced by anonymous nodes and an NGO for phishing, illegal reporting and illegal drug sale cases.

• Factor-specific users (31) were affected by one or more factors, being case-conscious, scheme-driven and/or entity-based.
  – One-factor users (15) responded consistently for only one factor, i.e. type of case (9), scheme (4) or entity (2) while reporting variable changes in usage for the other two factors. Case-conscious users typically indicated no change in usage for phishing or illegal drug sale cases or a decrease in usage for cases countering free expression, as shown by the lowest means for illegal reporting and/or communication cases (Figure 2(a)). Scheme-driven users reported a decrease in usage for revocable anonymity schemes and/or no change in usage for one or more of the access-limiting schemes. Entity-based users typically reported a decrease in usage for government agencies.
  – Two-factor users (12) responded consistently for two factors, i.e. types of case and scheme (5), case and entity (4), and scheme and entity (3) while having variable responses for the remaining factor. Of these, case-conscious users indicated a decrease in usage for illegal reporting and/or communication cases, or no change in usage for spam and phishing cases. Scheme-driven users reported a decrease in usage for revocable anonymity schemes and/or were undecided about access-limiting schemes. Entity-based users reported a decrease in usage for government and/or commercial entities, or reported being unchanged or undecided for one or more of the other three entities.
  – Three-factor users (4) responded consistently for all 3 factors simultaneously. They reported either a decrease in usage for illegal reporting or communication cases, revocable anonymity schemes and government agencies as enforcing entities, or no change in usage for spam and phishing cases, access-limiting schemes and NGOs.

• Undecided users (3) were undecided regardless of the factors involved. Two had an exception for which they reported a decrease in usage; these included a government agency blocking users involved in an illegal drug case, and an anonymous network administrator blocking users for illegal communication.

• Uncategorized users (5) had variable reported changes in usage for all entities, schemes and cases, so their behavior cannot be explained by any factor shown in Figure 2.
[Figure 3: two bar charts. Y-axis: percentage of times chosen by participants (%); x-axis: reasons R1 to R13. Panel (a) series: cases (illegal communication, illegal drugs, illegal reporting, phishing, spam), schemes (anonymity revocation by 1 entity, anonymity revocation by 3 entities (consensus), blocking, blocking with TTP, rate-limiting) and entities (administrator, anonymous node, commercial, government, NGO). Panel (b) series: changes in usage (decrease in usage, no change in usage, undecided).]
Figure 3. Reasons for participants’ reported changes in usage of anonymous networks divided by (a) type of factor and (b) reported change in usage.

RS | N | % | Description
--- | --- | --- | ---
R1 | 970 | 51.73 | This functionality can be abused and applied to other types of uses.
R2 | 924 | 49.28 | I cannot verify that this functionality is used to counter only [case] and not other uses.
R3 | 214 | 11.41 | I would be more comfortable if this functionality involved consensus by more than only [number & type of entity].
R4 | 824 | 43.95 | This functionality can negatively affect other anonymous users, not just me.
R5 | 822 | 43.84 | I do not trust the judgement of [entity] about [case].
R6 | 449 | 23.96 | I think that [case] should not be countered.
R7 | 249 | 13.28 | [case] should be countered, but not by [entity].
R8 | 733 | 39.09 | An anonymous user’s identity should not be revealed at any cost.
R9 | 731 | 38.99 | All users should have equal anonymous access.
R10 | 515 | 27.47 | There is no mechanism to appeal the entity’s decision while remaining anonymous.
R11 | 144 | 7.68 | Other (open-ended response)
R12 | 97 | 5.17 | I do not wish to disclose my reason(s).
R13 | 316 | 16.85 | I understand the value of this functionality for this scenario.

Table 3. Descriptions and overall statistics of the reasons selected (RS) by participants for their reported changes in usage in response to all scenarios. For each scenario, factors italicized in brackets contained the [case], [scheme] and/or [entity] appearing in the scenario.

Reasons for Changes in Anonymous Network Usage
Participants reported several reasons for their changes in usage of anonymous networks or lack thereof. Figure 3(a) shows the percentage of times participants chose each reason depending on the types of factors involved, Figure 3(b) shows the selected reasons based on participants’ reported change in usage and Table 3 shows the selected reasons’ descriptions and overall statistics. Our thematic analysis of participants’ open-ended reasons (R11) resulted in the set of codes described in Table 4 (Cohen’s kappa κ = 0.731; p

Code & Description | N
--- | ---
O1: Anonymity compromised | 53
O2: Lack of usefulness or desirability | 29
O3: Distrust | 23
O4: Unwillingness to participate | 20
O5: New security risks | 17
O6: Ineffectiveness | 13
O7: Resentment | 11
O8: Disgust | 10
O9: Censorship | 8
O10: Incomprehensible | 5
in certain schemes, e.g. “I don’t want to register with any entity” (P42). Others pointed out the lack of usefulness or desirability of some schemes and cases (O2:22), e.g. “The random computational puzzles take time to solve.” (P69), “I am pro-illegal drugs. People should be able to buy, sell, use and trade them...” (P47), and in response to a scenario involving illegal communication, “...An anonymity network that attempts to provide only conditional anonymity is like a democracy where voting for certain candidates gets you executed. Either you have anonymity, or you don’t: there is no middle ground here, and trying to forcibly establish one only results in inevitable abuse, and eventual abandonment once enough users realize the betrayal.” (P50).

Anonymity-conscious users also frequently reported distrust (R5:50.96%, O3:20) and resentment (O7:10) towards various entities, especially government and commercial entities, in addition to concerns about being unable to verify their actions (R2:57.48%) or appeal their decisions while remaining anonymous (R10:24.3%). While some expressed distrust for specific entities, e.g. “judicial bodies doesn’t approve revolutions, but revolutions are much needed these days.” (P46), others did so for all entities, e.g. “Allowing any entity the ability to regulate communication invariably leads to the entity blocking communications about problems or criticisms of such an entity” (P27) and warned of external influences (O12:3), “...all non-government bodies can just be forced without warrant to surrender data.” (P27).

Among factor-specific users, those influenced by all three factors simultaneously more frequently selected reasons about the potential abuse (R1:81%) of various technical mechanisms and their negative impact on others (R4:79%), distrust of entities (R5:64%) and inability to verify (R2:88%) or appeal (R10:83%) their decisions, and the right to maintain anonymity (R8:44%, R9:50%) than users influenced by only one or two factors. Factor-specific users also pointed out the ineffectiveness (O6:3) of some mechanisms, e.g. “spam classifiers aren’t very accurate” (P15), and the lack of usefulness or desirability (O2:2) of others, e.g. “Registration of every user defeats the purpose of the network anonymity” (P36). Some indicated concerns about incomprehensibility (O10:4) and censorship (O9:5), e.g. “What is ‘illegal communication’? Sounds like censorship like China doesn’t allow communication with human right activists, press or uncensored messengers/e-mail-provider.” (P37) in addition to distrust (O3:2), e.g. “ANY entity, non profit or otherwise is ran by people. people are inherintly biased and cannot be expected to apply rules fairly and unanimously” (P54).

Anonymity-indifferent users most frequently selected only reasons regarding the right to maintain anonymity (R8:40.88%, R9:42.67%). Undecided users most frequently opted to not disclose their reason(s) (R12:48.0%). Among uncategorized users, one participant raised concerns about anonymity being compromised (O1:4), including for schemes involving only blocking by service providers, “While ZKPs [zero-knowledge proofs] are good, this feature would still partition the anonymity set of the network into blocked and non-blocked users” (P58).

Impact of Prior Knowledge
Sixty-seven participants were aware of various abuses of anonymous networks while the remaining 8 had no such awareness. We categorized participants’ free-form responses into three main types of abuses they mentioned as shown in Figure 4. Table 5 shows that participants aware of more serious abuses (i.e. physical harms and illegal exchanges) reported a greater decrease in their anonymous network usage in response to various technical anti-abuse mechanisms than those unaware or aware of non-physical harms.

[Figure 4: bar chart. Y-axis: number of participants; x-axis: type of activity; bars grouped as physical harms, non-physical harms, illegal sales and others.]
Figure 4. Types of “malicious, criminal or unethical” activities conducted via anonymous networks, as identified by participants. Some participants mentioned several different activities. Sex crimes involve materials containing illegal or child pornography/abuse, rape, etc. Hacking covers botnet attacks, spam, phishing, ransomware, money tumbling, etc. Fraud includes counterfeit documents, money laundering, etc. Espionage includes dumping government and corporate secrets. Illegal marketplaces include illicit services like organ markets and crime-for-hire. General harms are non-specific mentions of “abuse”, “criminal activities”, etc. Undisclosed harms include instances where users reported awareness but did not reveal any abuses.

All but one participant reported observing the activities they mentioned on forums and chat rooms accessible via anonymous networks. One participant witnessed similar uses in the physical world: “Streets of my city have stickers with *.onion addresses promoting illegal drug retail” (P20). Two participants added personal views, stating, “...I don’t believe online markets should be banned. They build a safe space and a community to share opinions and reviews for substances” (P23), and, “I am familiar with...markets such as silkroad, agora, etc. They were...typically how the media tries to portray every user of the web who likes anonymity” (P70).

Type of abuse | n | µ | s | 95% CI
--- | --- | --- | --- | ---
Non-physical harms | 27 | 2.43 | 1.42 | [2.32, 2.54]
Illegal sales/exchanges | 43 | 2.20 | 1.28 | [2.12, 2.27]
Physical harms | 21 | 2.16 | 1.32 | [2.05, 2.27]
General harms | 12 | 1.96 | 1.20 | [1.83, 2.10]
Undisclosed harms | 5 | 1.66 | 0.92 | [1.50, 1.83]
Unaware | 8 | 2.87 | 1.74 | [2.63, 3.11]

Table 5. Reported mean changes in usage of anonymous services for participants aware of different types of abuses.

Impact of Investigators’ Existing Practices
Fifty-eight participants indicated being aware of investigators’ practices to identify certain anonymous users via software vulnerabilities whereas 17 participants reported being unaware.
Participants aware of investigators’ existing practices (58)
Table 6 summarizes the responses of such participants. Thirty-four participants were affected by investigators’ practices in various ways, e.g. “I try routing most...of my traffic over anonymous services. That way, metadata is much noisier to correlate against any particular internet activity” (P39) and “I keep it as up to date as I can. I also use it a bit less than I otherwise would” (P63). Eighteen participants stated that investigators’ use of software vulnerabilities had no effect on their anonymous network usage. Of these, five believed that they had not breached any laws or had nothing to worry about, e.g. “I do not use Tor for anything that makes me afraid of investigators” (P35). Others gave multiple reasons, including “No. That privacy can be compromised does not mean I should give up entirely” (P55). Six participants did not directly answer how investigators’ practices affected their own anonymous network usage. They made comments, e.g. “Makes me feel uneasy. I neither have faith in these agencies’ intentions, nor in their competence to keep these bugs secret” (P60), and “...We all end up paying for those who decided to do illegal stuff” (P36).

CHANGE IN USAGE (34) | PARTICIPANTS
--- | ---
Being more cautious and vigilant in setting up/using anonymous networks | P1*, P6◁◇▷, P14◇, P21*, P23*, P53*, P69*
Keeping software updated | P4*, P13◁, P21*, P23*, P29◁◇▷, P31◁◇, P32▷, P37◇, P53*, P59◁, P63◇
Using multiple layers of security (i.e. additional tools and add-ons) | P1*, P10▷, P34◁, P39◁, P40*, P41*, P52*, P58‡, P67*, P70◁▷
Only using anonymous tools via public networks | P29◁◇▷, P31◁◇, P32▷
Not connecting personal data to online persona | P18*, P29◁◇▷, P32▷, P59◁
Increasing the use of anonymous networks | P39◁
Decreasing the use of anonymous networks | P3◁◇▷, P50*, P52*, P63◇
Avoiding JavaScript and vulnerable software | P9◁◇, P13◁, P27*, P37◇, P43*, P47*, P54◁, P57±, P68*

NO CHANGE IN USAGE (18) | PARTICIPANTS
--- | ---
No expectation of being targeted by investigators | P20◇▷, P25◁, P35◇, P56*, P65‡
Not having many highly critical personal uses of anonymity | P28‡, P30*, P46*
No reason provided | P15◁▷, P26◁◇, P64†, P72‡, P74◁◇, P75◁
Means of circumventing investigators exist | P16±
Ability to check open-source code | P51*
Unwillingness to give up privacy entirely | P55±
Disturbed by investigators’ practices | P2◁▷

OTHER (6) | PARTICIPANTS
--- | ---
 | P17◁◇▷, P19*, P36◇▷, P60†, P66±, P73±

Table 6. Impact of investigators’ use of software vulnerabilities on participants’ usage of anonymous networks. Participants’ profiles are also shown: * anonymity-conscious; ◁ case-conscious; ◇ scheme-driven; ▷ entity-based; ± anonymity-indifferent; † undecided; ‡ uncategorized.

Participants unaware of investigators’ existing practices (17)
When asked how knowledge of investigators’ practices would change their own anonymous network usage for their primary activity, 11 said their usage would “remain unchanged”, 4 said their usage would “decrease”, 1 was undecided and 1 did not respond.

DISCUSSION AND IMPLICATIONS
We wanted to understand how technical schemes developed to address anonymous abuses may impact the legitimate uses of anonymous services. We found that a number of social and technical factors affect users’ preferences and should be considered in the design and enforcement of potential counter-abuse mechanisms.

Relation to prior work
By grounding technical anti-abuse schemes in concrete scenarios with specific cases and entities, we empirically demonstrate participants’ greater opposition to cases countering communication and reporting of censored topics (which are crimes in some jurisdictions) relative to other cases. Our work supports the notion that free expression without tracking and censorship are the intended [20, 33, 34, 60] use cases of anonymous networks. In showing the relative distrust of government and commercial entities, we extend prior work on users’ motivations for seeking anonymity [38, 39, 44, 76], which depicted such entities as oft-reported threat actors.

An early discussion of the technical issues facing revocable anonymity schemes identified fundamental security flaws in their architecture [29]. It suggested that the potential for its abuse might lead users to place less trust in the anonymous network even when the revocation mechanism is not exercised. Our results empirically show that revocable anonymity schemes indeed deter the use of anonymous networks for several intended and legitimate purposes. We also show that this decrease in usage is driven by several factors, including the inability to limit the counter measures to specific abuses and distrust in the judgement of enforcing entities involved. Our study also corroborates prior findings on the criminal and unethical content found via scanning onion services [14, 40, 57, 79] since our participants reported a wide range of harmful activities they had observed or become aware of.

Revocable anonymity: security and trust implications
Although revocable anonymity schemes have not been implemented for the Tor network, the AN.ON communication system deployed a feature to track future connections from users in case of a valid court order. This revocable anonymity feature came in response to a 2003 legal request against a server hosting child pornography in Germany and was criticized by many users despite being made transparent via changes to the open source code [8]. While the AN.ON case highlights the precarious balance between the two needs of strong anonymity and crime prevention, our study shows that revocable anonymity mechanisms would deter several legitimate uses of anonymous networks. This is evidenced by the significantly greater decrease in anonymous network usage associated with revocable anonymity schemes and participants’ more frequent concerns about anonymity being compromised for such schemes relative to access-limiting schemes.

Since schemes involving anonymity revocation and third parties alter the trust model of decentralized anonymous networks by introducing new trusted parties or giving existing entities greater power, participants’ concerns about security risks and entities being susceptible to external influence are plausible. Such concerns, especially prevalent among anonymity-conscious users, are not unfounded in light of companies succumbing to pressure from foreign governments to censor specific content, as in the case of Apple removing VPN apps from its China App store to comply with Chinese censorship [63]. Even in cases where the third party enforcing revocable anonymity is well-trusted, they can make the overall system vulnerable to abuse or political meddling, as has
been the case with Interpol being politically influenced by authoritarian regimes to arrest dissidents and human rights activists [3].

Since participants aware of more serious abuses (i.e. physical harms and illegal exchanges) reported a greater decrease in their anonymous network usage, this suggests that such participants view the proposed technical mechanisms as making anonymous networks more insecure or susceptible to abuse.⁹ While most participants aware of investigators’ use of software vulnerabilities improved their security practices as a result, most of those unaware reported no change in their anonymous network usage upon finding out about investigators’ existing deanonymization methods.¹⁰ This suggests that existing investigative practices of de-anonymization pose fewer risks for users than built-in lawful access mechanisms to selectively revoke anonymity, which is consistent with arguments by security researchers that engineered lawful access mechanisms would introduce new security risks into communication networks [1, 11]. In light of mounting attacks on anonymity [18, 42, 50, 58, 65], revocable anonymity schemes would exacerbate the security concerns already associated with anonymous networks.

Implications for design and policy
Our results have three main implications for addressing anonymous abuses. First, technical schemes should not be introduced to enable a third party to broadly target anonymous users for any type of abuse. Schemes should only counter specific well-defined abuses without infringing on users’ human rights.

Second, anonymity revocation would be especially harmful if the revocation authority is a local government agency or a commercial service that could easily track users’ communication. This could lead to unintended consequences, e.g. an authoritarian regime could seek to reveal the identity of anonymous activists reporting news critical of the government either by itself or by coercing other entities to do so. Anonymity revocation compromises the intended goal of anonymous networks, especially since several users seek anonymity predominantly to evade threats. Such schemes also introduce additional insecurities, rendering anonymous networks more susceptible to abuse. Hence, access-limiting schemes, which aim to only block or rate-limit abusive users, would be more consistent with the threat model of anonymous networks.

Finally, while some schemes allow anonymous users to check whether or not they have been blocked by specific service providers [6, 70], technical mechanisms proposed so far do not allow anonymous users to verify why particular abuses were addressed (e.g. why certain connections were blocked or rate-limited). To gain the trust of anonymous users, schemes should be adopted in a manner that enables verification of the decision-making criteria and the actions of the entities enforcing them. Incorporating the ability to appeal the decisions of the enforcing entity while remaining anonymous should also be considered.

LIMITATIONS AND CHALLENGES
We used a survey methodology since we wanted to engage with a population of users that valued their anonymity. While this method ensured their anonymity, it also limited us in further probing participants to get more detailed responses. Given our targeted population and distribution method, we required only Sections 1 and 2 to be compulsory in order to retain participation. While 96.7% of participants answered all questions in Sections 1-5, we missed one of two responses for two participants in Section 4 and for three participants in Section 5. In Section 6, only 46 (61.3%) participants provided all demographic information, 7 (9.3%) did not report any, and the remainder partially answered demographic questions.¹¹

Participants could only report changes in anonymous network usage ranging from decrease to no change for our scenarios. This constraint may have biased their responses as some participants might have chosen to increase their usage in response to anti-abuse mechanisms. However, we believe that such users would leave their usage unchanged at most either because of their belief that the technical schemes would not substantially impact their anonymity or because of their lack of concern for the impact on their own anonymity. Additionally, our results might not have included more anonymity-conscious users, who may have decided against participating. Our survey platform, Qualtrics, required JavaScript, which is deactivated by the Tor Browser’s highest security setting. This feature could have deterred some users from taking our survey.

CONCLUSION
Using a survey-based experiment that situated technical schemes for addressing anonymous abuses in the various social contexts in which they could be implemented, we show that different factors affect several legitimate uses of anonymous networks. Our 75 participants had five main types of profiles. While our participants were significantly less opposed to addressing spam and phishing attacks, they distrusted government and commercial entities more than other types of enforcing authorities. Our participants regarded schemes involving anonymity revocation and third parties as more undesirable than those only involving access limitations such as blocking or rate-limiting. We also found that participants with prior knowledge of more serious abuses reported a greater decrease in usage of anonymous networks in response to the anti-abuse schemes, which reflects concerns about the potential for abuse of such technical schemes. Knowledge of investigators’ current deanonymization practices resulted in more participants adopting better security practices as opposed to decreasing their usage, which further indicates the greater security risks associated with revocable anonymity schemes. Since participants most frequently raised concerns about schemes being abused to negatively impact other anonymous users in a non-verifiable manner, we suggest that anti-abuse mechanisms be tailored to counter specific abuses in a manner that allows users to verify the actions of the enforcing entities and anonymously appeal particular decisions.

ACKNOWLEDGMENTS
Our thanks go to David D. Clark for his invaluable assistance and discussion on this topic. Wajeeha Ahmad and Ilaria Liccardi were supported by the William and Flora Hewlett Foundation.

9. Several users who highlighted security risks (P47, P50), external influences (P27, P50) and distrust of entities (P1, P19, P27, P37, P42, P46, P47, P50, P52, P54, P58) in open-ended reasons mentioned physical harms (P1, P27, P46, P50, P54, P58), illegal exchanges (P1, P27, P37, P42, P46, P50, P52, P54, P58), and general harms (P47, P52).
10. Eight participants reported a decrease in their anonymous network usage due to investigators’ current deanonymization practices. Of these, 4 reported being aware of such practices while 4 reported being unaware.
11. Some provided all demographic data except their countries of nationality (16) and residence (13) while 6 others had varying missing demographic data, e.g. missing gender, employment or education levels.